CRITs was introduced a bit earlier as a threat intelligence platform (TIP) worth your time to review, if not employ in your enterprise. Let me show a quick example why.
Raise your hands – who has to deal with phishing?
Okay. I couldn’t see who raised their hands, but given its ubiquity within everyone’s enterprise, I’m going to go with just about everyone. You might not deal with it directly but someone in your SOC or security team definitely does.
CRITs contains an entire section on delving into phishing and the data associated with phishing emails. At the simplest level, it provides an interface for you to upload an email. CRITs takes that email and shreds it into pieces, storing all the data within it into searchable fields. It also has a couple of parsers to help assemble interesting indicators from the raw content. Correlation also happens automatically in the background. The targets of the phishing email go into a Targets collection. If you determine a campaign exists, you can then graph the Emails and Targets accordingly. Got an attachment? That is automatically sent to the Samples collection. Depending on what services have been arranged, that file is then unwrapped, detonated in a sandbox, parsed, etc.
Plenty more happens, but you’ll see where I’m going. What gets exposed and what you link then is open for pivoting to find connections. X-Mailer look interesting? Pivot on it and see if you’ve noted it before. Message-ID? Same. Maybe it’s recycled, maybe it’s part of a chain, or maybe it’s unique. You can find out pretty quickly. Want to know if an entire division was targeted in that last phishing campaign? You can determine that pretty quickly with CRITs by using the Targets collection. How about whether one or a group of people seems to constantly get targeted? Again, use that Targets collection. While CRITs doesn’t natively support the idea of tracking an item (laptop, computer, etc.) with a small bit of finagling you can make it show the same information by item as well.
CRITs has a lot of capability under the hood. If you are struggling with phishing, it can be a powerful tool in your arsenal. Especially if you are looking to connect that phishing activity to an Actor focused on your enterprise.